I currently have a test environment with an Exchange 2013 configuration being load balanced by an HAProxy virtual machine. All is working moderately well, mail routes with no problem and there are no major issues. However, I have noticed two (2) oddities that I have been unable to remedy…

The first is that I am able to get to the OWA portal just fine using https (https://mail.domain.com). Yet, when I attempt to use http to resolve the page, it returns nothing. Exchange 2013 is configured to redirect any http connection to https, but when you attempt to resolve http://mail.domain.com, the browser just spins. I believe that this is because I’m using layer 4 (TCP) load balancing instead of http load balancing.

Is there a way to forward any incoming request on port 80 to 443 on the back end using “TCP Mode”? Or is there an alternate configuration using “http mode” available that does NOT require loading an ssl certificate into HAProxy (All encryption/decryption will be handled by the CAS server… HAProxy simply forwards the incoming connections to said servers)?

The second issue I have is that, periodically, my test Outlook account will display “connection to server lost”. It only does this for a few moments and then immediately reconnects and everything is fine. I have increased the timeouts in the defaults section but this did not seem to have any effect. Also, there are a large number of “Client connection resets during transfers” in the HAProxy status page.

Configuration can be found below. Any insight/assistance is greatly appreciated!

By the way, your configuration is broken by design. Each of your listen sections binds the same IP address and port. This means that for new incoming connections, your kernel is going to pick any of the TCP sockets to forward the connection to. Imagine you want to use OWA and the kernel assigns you to the Autodiscover bind socket…
I mean, it currently “works” by luck because all the Exchange servers can deliver all the services and in 2013, no persistence is required at all.

Another point:

listen Autodiscover 1.2.2.45:443

is forbidden and should be written:

listen Autodiscover
bind 1.2.2.45:443 ssl crt <pemfile>

For your last problem, we need to see the log lines to further troubleshoot.
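As an added illustration of the reply above (not the poster's configuration and not written by the replier), this is what a single-bind-per-port layout looks like: one plain-HTTP listener on port 80 that issues the redirect itself, which needs no certificate, and one TCP-mode listener on port 443 that passes TLS through untouched, so the `ssl crt` form only applies if HAProxy were terminating TLS. The VIP 1.2.2.45 comes from the thread; the CAS server addresses, section names and timeout values are assumptions.

```haproxy
# Added example, not the original poster's config.
# Assumed: 192.0.2.11 / 192.0.2.12 are placeholder CAS server addresses.
global
    log 127.0.0.1 local0

defaults
    log     global
    timeout connect 5s
    # Outlook keeps long-lived connections open; keep client/server timeouts generous.
    timeout client  10m
    timeout server  10m

# Port 80 is plain HTTP, so HAProxy can answer the redirect without any certificate.
frontend exchange_http
    bind 1.2.2.45:80
    mode http
    option httplog
    http-request redirect scheme https code 301

# Port 443: exactly one bind, shared by OWA, Autodiscover, EWS and the rest.
# TCP mode forwards the TLS session as-is, so no "ssl crt" on the bind line.
listen exchange_https
    bind 1.2.2.45:443
    mode tcp
    option tcplog
    balance roundrobin
    server cas1 192.0.2.11:443 check
    server cas2 192.0.2.12:443 check
```

With `log` and `option tcplog` in place, the per-connection log lines the reply asks for will be written to syslog, which is what is needed to troubleshoot the “connection to server lost” resets.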

I will read through the guide fully as soon as I am able; I expect that my second problem is directly related to the issues you outlined above.

As for the “ssl crt” statements, I do not have any in the configuration. Aside from the statistics section, that is the entire config. I skimmed through the guide and I would say that (at least in theory/thought process) I am trying to set up HAProxy as a raw TCP transparent proxy… As such, would I need to specify an SSL cert (.pem) for use if HAProxy isn’t actually looking at any of the contents of the packets?